Threat Description

Pri

Details

Aliases: Pri, PSD, Pri.A
Category: Malware
Type: Virus
Platform: W97M

Summary



W97M/Pri is a polymorphic Word 97 macro virus.

It activates when an infected document is opened. At this point it will check whether the global template is already infected or not. If it is not, the virus copies itself and modifies itself during this process.

When the virus has infected the global tempate, it infects all documents when they are closed. Also, the "Tools/Macros/Visual Basic Editor" menu is hooked which renders it in unusable state.

When the virus infects documents or the global template, it checks if the hour of the current time and minutes are the same. If the check passes, the payload will be create ten random shapes of random colors to the current document.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details




Variant:Pri.B

This variant is very similar to W97M/Pri.A with only a few differences.

This variant adds a code to the hooked "Tools/Macros/Visual Basic Editor" menu that causes the Word to quit immediately without saving any changes.

The other difference is that the payload will create a random number of shapes instead of ten when activated.


Variant:Pri.Q (Prilissa, Melissa.W, Melissa.AG, W97M.Antisocial.G)

This variant contains a mass mailing part stolen from W97M/Melissa and a destructive payload.

Futher information about W97M/Melissa is available at: http://www.F-Secure.com/v-descs/melissa.shtml

The payload activates on 25th December. At that time the virus overwrites first "C:\Autoexec.bat" with a code that will format the "C:" drive immediately after the system has been restarted. However, this payload does not work in Windows NT. "Autoexec.bat" contains the following text, also:

  Vine...Vide...Vice...Moslem Power Never End...
    Your Computer Have Just Been Terminated By -= CyberNET =- Virus !!!

When the virus has overwritten "C:\Autoexec.bat" it shows a message box with the following text:

  Vine...Vide...Vice...Moslem Power Never End...
    You Dare Rise Against Me...The Human Era is Over, The CyberNET
    Era Has Come !!!

After that the virus adds a random number of shapes to the active document. These shapes are filled with a random color.

The virus mass mails itself to the first 50 recipients listed in each address book. The message that it sends looks like this:

  Subject:    Message From (User Name)
    Body:       This document is very Important
    and you've GOT to read this !!!

Where "(User Name)" is replaced with the name of the infected user. The message contains a copy of the infected active document, too.

Then the virus changes the registry to mark that the mass mailing has been done. The key

  HKEY_CURRENT_USER\Software\Microsoft\Office\CyberNET

is set to value:

  (C)1999 - Indonesia by AnomOke!

Once it has mass mailed itself, the virus replicates when a document is opened or closed.

The virus disables the built-in virus protection and hides the last recently opened files in the "File" menu. It also hooks both "Tools/Macros/Macro" and "Tools/Macros/Visual Basic Editor" menus.





Technical Details: Katrin Tocheva and Sami Rautiainen, F-Secure


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More